Year in Review: Malware Attacks Impact Operations and the Bottom Line

Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.

In 2012, then-NSA Director General Keith Alexander said that cyber-attacks are responsible for the greatest transfer of wealth in history. But in their annual U.S. Securities and Exchange Commission (SEC) filings, most companies have continued to shrug off the impact of intellectual property theft carried out over the internet. CFR’s Cyber Operations Tracker shows only about a dozen known incidents of intellectual property theft by state-sponsored actors.

In 2017, a wave of attacks did hit the threshold of inflicting a serious economic toll. Maersk came clean about the effects of NotPetya in its second-quarter filing, reporting $200 to $300 million in lost revenue and cleanup costs. FedEx also reported a hit of $300 million from NotPetya, which struck the recently acquired TNT Express, a Belgian delivery services company. Oreo cookie maker Mondelez reported a loss of about $150 million, and the medical transcription services firm Nuance recorded annual losses of $68 million in November.

Pharmaceutical giant Merck may take the biggest hit of all, reporting third-quarter losses of $300 million and forecasting similar losses for the fourth quarter. The attack caused a production shutdown, forcing Merck to borrow HPV vaccines from the CDC’s national emergency stockpile.

Cybereason puts the total costs across all companies that reported losses at $1.2 billion and climbing. The real costs are likely to be much higher, particularly for businesses in countries on Russia’s periphery, where many of these cyber incidents originate.

While NotPetya looked like a ransomware attack, companies infected with it had no way to pay ransoms and recover their files. Instead, most analysts agree the attack was carried out by agents of the Russian government to punish Ukraine. The infection spread through a backdoor implanted in accounting software MeDoc that is used widely in Ukraine’s private sector.

Whether Russia’s intention was to just hit Ukrainian businesses or to purposefully target (and try to scare off) global multinationals with operations in Ukraine is anybody’s guess. For my two cents, it would be extremely naive to assume the Russians were not aware of the risk of global contagion.

At year’s end, a few lessons should be drawn from this incident. First, NotPetya makes the elusive concept of “cyber risk” all too real. One of the lessons from these attacks is that cybersecurity strategies at the enterprise level need to take into account geopolitical tensions that may impact their security. Companies need to learn both to weigh the risks and to make prudent decisions. Buying a company in Ukraine? Maybe don’t fully integrate its IT with your IT. Keep networks segmented, and inspect data flows between those networks and the rest of the enterprise. Don’t use a single global domain controller.

Second, if NotPetya didn’t directly target U.S. companies, imagine what might happen if it did. A supply chain attack on the equivalent of MeDoc in the United States could be devastating. We shouldn’t assume it can’t happen here. Many of us in the cybersecurity community have been engaging in ritualistic self-flagellation for missing all the warning signs that Russia would interfere in the 2016 elections. In the case of destructive malware attacks, Russia has now telegraphed how a destructive attack might play out in an escalating conflict with the United States. What is even more astounding is that many American multinational companies directly felt these attacks. Yet, at the end of 2017, NotPetya seems like a distant memory.

Finally, to end on a positive note, many multinational corporations operate in Ukraine; yet, only a few reported being hit hard by the incident. That means that most companies were protected against the attack or were able to detect and stop its spread before it impacted operations. Either that, or they have really good lawyers who concluded that the impact just wasn’t sufficient to warrant reporting to the SEC…